‘Salvador Stealer’ Targets Banking Customers with Sophisticated Malware

Published
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

A new Android-based malware strain designed to harvest sensitive personal and financial information, dubbed Salvador Stealer, showcases advanced capabilities for targeting mobile banking app users. 

This malware is a multi-stage attack tool that embeds a phishing website and hijacks SMS messages. Salvador Stealer collects sensitive user information, including: 

These details have led to speculative links to India, though attribution remains unclear.

The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity | Source: ANY.RUN

Uncovered and analyzed by the team at ANY.RUN, Salvador Stealer employs a two-stage infection process using a dropper APK, which silently installs and activates the malicious payload, base.apk, on the victim's device. 

The malware masquerades as a legitimate mobile banking app, tricking users into entering their credentials into a fake interface. Once entered, this data—including banking credentials, Aadhaar numbers, and even OTPs (one-time passwords)—is instantly exfiltrated to the attackers via multiple channels.  

Process communicating with Telegram | Source: ANY.RUN

Salvador Stealer integrates a well-designed phishing interface directly within the application to deceive users into providing their banking credentials.  

Armed with permissions to intercept incoming SMS messages, the malware captures OTPs sent via text for verification, allowing attackers to bypass two-factor authentication.  

Victim credentials are sent to both a phishing server and a C2 (Command and Control) server controlled via the Telegram Bot API.  

The malware employs advanced persistence mechanisms, such as restarting itself if terminated and surviving device reboots via system-level broadcast receivers.  
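The three capabilities described above (SMS interception for OTP theft, a dropper that installs a second APK, and boot-time persistence through broadcast receivers) all leave traces in an app's AndroidManifest.xml. The following triage script is an added example, not ANY.RUN's tooling or anything recovered from Salvador Stealer itself: it parses a manifest, tallies the permissions and receiver actions that enable those behaviours, and raises a combination flag when all three appear together. The weights and the two sample manifests are constructed for illustration.

```python
"""Heuristic manifest triage for the SMS-interception / dropper / boot-persistence
pattern. Added example; weights and sample manifests are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # attribute key for android:name

# Permissions relevant to the behaviour described in the article.
# Weights are an illustrative assumption, not a published scoring scheme.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,            # intercept incoming SMS (OTPs)
    "android.permission.READ_SMS": 2,               # read stored SMS
    "android.permission.RECEIVE_BOOT_COMPLETED": 2, # run after device reboot
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,  # dropper installing a 2nd APK
    "android.permission.INTERNET": 1,               # exfiltration channel
}
# Broadcast actions a receiver can subscribe to; these back the persistence
# and SMS capture described above.
ACTION_WEIGHTS = {
    "android.provider.Telephony.SMS_RECEIVED": 3,
    "android.intent.action.BOOT_COMPLETED": 2,
}

# Constructed sample: a manifest showing the full pattern.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a benign-looking app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def triage_manifest(xml_text):
    """Return a dict with a weighted score, the individual findings, and a
    flag that fires only when SMS capture, boot persistence and package
    installation are all requested together."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}

    findings, score = [], 0
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in perms:
            findings.append("permission " + perm)
            score += weight
    for action, weight in ACTION_WEIGHTS.items():
        if action in actions:
            findings.append("receiver action " + action)
            score += weight

    # Any one of these is common in legitimate apps; the combination is what
    # matches the multi-stage stealer behaviour described in the article.
    combo = (
        "android.permission.RECEIVE_SMS" in perms
        and "android.intent.action.BOOT_COMPLETED" in actions
        and "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    )
    return {
        "package": root.get("package"),
        "score": score,
        "findings": findings,
        "suspicious_combo": combo,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "score=%d" % result["score"],
              "combo=%s" % result["suspicious_combo"])
        for f in result["findings"]:
            print("  -", f)
```

The combination flag is deliberately stricter than the score: a legitimate messaging app may ask for RECEIVE_SMS, and an app store client may ask for REQUEST_INSTALL_PACKAGES, so a reviewer should treat the score as a prioritisation hint and the combination flag as the signal worth a manual look.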

The analysis also revealed interesting insights into Salvador Stealer’s infrastructure. The phishing websites and administrative control panels used by the attackers were found to expose sensitive information, including a WhatsApp number linked to a possible operator of the malware. 